Microsoft 365 Business Premium: Fix Setup & Security Issues

MFA is the single most effective control against account takeover in Microsoft 365 Business Premium environments. According to Microsoft's own telemetry, MFA blocks over 99% of automated credential-stuffing attacks. And yet, it's still not universally enforced on freshly created tenants.

Here's the cleanest way to enforce MFA across your entire organization:

1. Go to admin.microsoft.com → Settings → Org Settings → Security & Privacy → Multi-factor authentication.
2. Click "Manage multi-factor authentication settings", this takes you to the legacy per-user MFA panel at account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx.
3. For a simpler, policy-driven approach that ships with Business Premium, go to entra.microsoft.com → Protection → Conditional Access → Policies.
4. Click "+ New policy" and create a policy named "Require MFA – All Users". Under Users, select All users (exclude your break-glass account). Under Target resources, select All cloud apps. Under Grant, select Require multifactor authentication.
5. Set the policy to Report-only first to see who would be affected, run it for 24–48 hours, then flip it to On.

Once this policy is live, any user who tries to sign in without a registered MFA method will be prompted to register one. If you see sign-in failures in the Azure AD sign-in logs (at entra.microsoft.com → Monitoring → Sign-in logs), look for the error code 50076 (MFA required but user hasn't registered) or 50158 (conditional access policy blocked the sign-in). These event codes tell you exactly what's happening at the authentication layer.

When the policy is working correctly, users will see a prompt in Microsoft Authenticator on their phone every time they sign in from a new device or location. That's exactly what you want to see.

Microsoft 365 Business Premium includes Microsoft Defender for Business, a full endpoint detection and response (EDR) platform designed specifically for small and medium-sized businesses. But the protection doesn't activate automatically. You need to onboard your endpoints and apply security policies.

Start here:

1. Go to security.microsoft.com (the Microsoft Defender portal).
2. In the left nav, expand Assets and click Devices. If your devices show "Not onboarded," that means Defender for Business is not yet protecting them, even though you're paying for it.
3. Click Settings → Endpoints → Device management → Onboarding.
4. For Windows 10/11 devices that are Azure AD joined and managed by Intune, select "Mobile Device Management / Microsoft Intune" as your deployment method. This is the cleanest path for Microsoft 365 Business Premium environments.
5. For standalone Windows machines not in Intune, download the local script and run it on each machine as an administrator. The script is a .cmd file that calls the Windows Management Instrumentation (WMI) provider to register the device with your tenant.

After onboarding, verify the device appears in the Devices list with a status of "Active" and a risk level of "No known risk" (or your current actual risk level). If the device shows "Inactive" after 24 hours, run this PowerShell command on the endpoint to check the onboarding status:

Get-MpComputerStatus | Select-Object -Property AMRunningMode, OnboardingState

A healthy result shows OnboardingState: 1 (onboarded). If you see 0, the onboarding script didn't complete successfully, re-run it in an elevated PowerShell session.

Next, head to security.microsoft.com → Configuration management → Endpoint security policies and apply the pre-built Microsoft-recommended security baselines. These are the same policies that Microsoft recommends in their Zero Trust security model guidance and are tuned specifically for Microsoft 365 Business Premium deployments.

Phishing and malicious attachments are the number-one entry point for ransomware attacks in small and medium-sized businesses. Microsoft 365 Business Premium includes Defender for Office 365 Plan 1, which contains two critical email security features: Safe Links and Safe Attachments. Both are off by default on new tenants.

To activate Safe Attachments:

1. Go to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Safe Attachments.
2. Click "+ Create" to create a new policy. Name it "Block Malicious Attachments – All Users".
3. Under Applied to, select your domain (e.g., @yourcompany.com) to cover all users.
4. Set the action to "Block", this quarantines the message and replaces the attachment with a notification. Do not use "Monitor only" in a production environment, that setting lets the attachment through while logging it.
5. Enable "Redirect attachment on detection" and enter a security admin email address so you get notified of blocked items.

For Safe Links, go back to Threat policies → Safe Links → "+ Create". The key setting here is "Track user clicks", enable this. It records when users click links in emails, which is invaluable for incident response if you ever need to trace how a phishing campaign spread through your organization. Also enable "Let users click through to original URL" only if you have a specific business reason, leaving this off (the safer default) means users cannot bypass the Safe Links warning page.

Once both policies are active, send a test phishing email to yourself using the Microsoft Attack Simulator at security.microsoft.com → Email & collaboration → Attack simulation training. If Safe Attachments and Safe Links are working, the simulator's test payload should be caught and quarantined within seconds.

One of the most powerful, and most commonly skipped, features in Microsoft 365 Business Premium is the ability to manage and secure all employee devices from a single pane of glass. This includes Windows PCs, Macs, iPhones, iPads, and Android phones. The management backbone is Microsoft Intune, which is fully included in your Business Premium subscription.

For Windows 10/11 devices, the cleanest enrollment path is Azure AD Join + automatic Intune enrollment:

1. Go to entra.microsoft.com → Devices → Device settings.
2. Under "Users may join devices to Azure AD", select All (or a specific group if you're piloting).
3. In the Intune admin center at intune.microsoft.com, go to Devices → Enrollment → Windows enrollment → Automatic Enrollment.
4. Set MDM user scope to All. This tells Intune to automatically enroll any Windows device that joins your Azure AD.
5. On the Windows device itself, have the user go to Settings → Accounts → Access work or school → Connect and sign in with their Microsoft 365 Business Premium account. The device will join Azure AD and auto-enroll in Intune simultaneously.

For Mac enrollment, deploy the Company Portal app from the Mac App Store and have users sign in with their Microsoft 365 credentials. For iOS/Android, the Company Portal app from their respective app stores handles enrollment.

Once devices are enrolled, you can push configuration profiles, enforce disk encryption (BitLocker on Windows, FileVault on Mac), require device compliance for access to company data, and remotely wipe a lost or stolen device. This last capability alone, remote wipe, is something I've seen save businesses from serious data exposure when a laptop gets stolen.

After enrollment, check intune.microsoft.com → Devices → All devices and confirm each device shows a Compliance state of "Compliant". Non-compliant devices should be investigated immediately, common reasons include outdated OS versions, missing BitLocker encryption, or the device not checking in within the expected timeframe (event ID 2 in the Intune Management Extension log at %ProgramData%\Microsoft\IntuneManagementExtension\Logs).

Microsoft 365 Business Premium's official documentation specifically calls out protection against ransomware and data loss as core value propositions of the platform. Setting this up involves two separate but complementary systems: Exchange mail flow rules for ransomware defense, and Microsoft Purview for data loss prevention (DLP).

For ransomware protection via mail flow rules:

1. Go to admin.exchange.microsoft.com → Mail flow → Rules → + Add a rule → "Create a new rule".
2. Name the rule "Block Ransomware File Extensions".
3. Under "Apply this rule if", select Any attachment → file extension includes these words. Add extensions commonly used in ransomware droppers: exe, bat, cmd, vbs, js, scr, ps1, hta, jar.
4. Under "Do the following", select Block the message → Reject the message and include an explanation. Enter a message like: "This message was blocked because it contained an attachment type that is not permitted for security reasons. Contact your IT administrator if this is legitimate."
5. Set the rule priority to 0 (highest) so it evaluates before other rules.

For DLP, go to compliance.microsoft.com → Data loss prevention → Policies → + Create policy. Microsoft ships several pre-built policy templates for common compliance scenarios (GDPR, financial data, health records). For most small and medium-sized businesses using Microsoft 365 Business Premium, start with the "U.S. Personally Identifiable Information (PII) Data" template, it catches Social Security numbers, credit card numbers, and passport numbers being sent outside your organization.

Set DLP policy actions to "Notify users" first (policy tip mode) for a week, then escalate to "Block and notify" once users are aware. Jumping straight to block mode can cause legitimate business emails to fail, and that generates support calls you don't want. Event logs for DLP policy matches appear in the compliance.microsoft.com → Audit section under the activity type DLPRuleMatch.